House of Credit Cards | TechSNAP 165

House of Credit Cards | TechSNAP 165

Just when you thought openSSL was safe, we’ve got a whole new round of security flaws. Plus we’ll go inside a massive online carding shop.

Then it’s your questions, our answers, and much much more!

Thanks to:




Direct Download:

HD Video | Mobile Video | MP3 Audio | Ogg Audio | YouTube | HD Torrent | Mobile Torrent

RSS Feeds:

HD Video Feed | Mobile Video Feed | MP3 Audio Feed | Ogg Audio Feed | iTunes Feeds | Torrent Feed

— Show Notes: —

OpenSSL and GnuTLS flaws

  • A series of new vulnerabilities have been found in both SSL/TLS libraries
  • Latest Versions:
  • OpenSSL 0.9.8za.
  • OpenSSL 1.0.0m.
  • OpenSSL 1.0.1h.
  • CVE-2014-0224 — An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server. The attack can only be performed between a vulnerable client and server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.
  • CVE-2014-0221 — By sending an invalid DTLS handshake to an OpenSSL DTLS client the code can be made to recurse eventually crashing in a DoS attack. Only applications using OpenSSL as a DTLS client are affected.
  • CVE-2014-0195 — A buffer overrun attack can be triggered by sending invalid DTLS fragments to an OpenSSL DTLS client or server. This is potentially exploitable to run arbitrary code on a vulnerable client or server. Only applications using OpenSSL as a DTLS client or server affected.
  • CVE-2014-0198 — A flaw in the do_ssl3_write function can allow remote attackers to cause a denial of service via a NULL pointer dereference. This flaw only affects OpenSSL 1.0.0 and 1.0.1 where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.
  • CVE-2010-5298 — A race condition in the ssl3_read_bytes function can allow remote attackers to inject data across sessions or cause a denial of service. This flaw only affects multithreaded applications using OpenSSL 1.0.0 and 1.0.1, where SSL_MODE_RELEASE_BUFFERS is enabled, which is not the default and not common.
  • CVE-2014-3470 — OpenSSL TLS clients enabling anonymous ECDH ciphersuites are subject to a denial of service attack.
  • OpenSSL 1.0.0m and OpenSSL 0.9.8za also contain a fix for CVE-2014-0076: Fix for the attack described in the paper \”Recovering OpenSSL ECDSA Nonces Using the FLUSH+RELOAD Cache Side-channel Attack”. This issue was previously fixed in OpenSSL 1.0.1g.
  • GnuTLS releases update to fix flaws as well
  • CVE-2014-3466 — A flaw was found in the way GnuTLS parsed session ids from Server Hello packets of the TLS/SSL handshake. A malicious server could use this flaw to send an excessively long session id value and trigger a buffer overflow in a connecting TLS/SSL client using GnuTLS, causing it to crash or, possibly, execute arbitrary code. The flaw is in read_server_hello() / _gnutls_read_server_hello(), where session_id_len is checked to not exceed incoming packet size, but not checked to ensure it does not exceed maximum session id length
  • Deeper analysis of the GnuTLS flaw

Inside a carding shop

  • Bryan Krebs releases his expose on the inner workings of a professional carding shop
  • This shop focused on ‘dumps’, full track data that can be written to blank cards, allowing the fraudster to take the card into a big box store, and buy large ticket items that can easily be sold for cash
  • “The subject of this post is “McDumpals,” a leading dumps shop that first went online in late April 2013. “
  • “Like many other dumps shops, McDumpals recently began requiring potential new customers to pay a deposit (~$100) via Bitcoin before being allowed to view the goods for sale. Also typical of most card shops, this store’s home page features the latest news about new batches of stolen cards that have just been added, as well as price reductions on older batches of cards that are less reliable as instruments of fraud.”
  • Bryan has a great slideshow that shows some of the regions and retails that were compromised, and what the sets of cards sell for


Round Up:

Question? Comments? Contact us here!